Secure Coding mailing list archives

Re: Change of position


From: ljknews <ljknews () mac com>
Date: Thu, 01 Apr 2004 21:28:48 +0100

At 10:09 AM -0500 4/1/04, Gary McGraw wrote:
> Hi all,
>
> I have done lots of soul searching lately and have come to the
> conclusion that trying to make software secure is not worth the effort.
> I think instead we should concentrate more effort on protection
> technologies such as advanced stateful firewalls, intrusion detection
> mechanisms, host-based behavior control, and above all policy.  We
> simply can't make software work effectively in a cost effective manner.
>
> I hope all of you will agree.

I realize it is April Fools' Day, but all the "host-based behavior
control" I have encountered is implemented by operating system software.
If that software cannot be made secure, there is no hope.

The major time-wasting I see in software security is the leap of faith
from:

        theoretically, safe code can be written in any language

to:

        using "any language" to write safe code can be done within
        real-world economic constraints.
